Fault-tolerant synchronisation device for a real-time computer network

ABSTRACT

The invention enables fault-tolerant synchronization of real-time equipment connected to a computer network of several tens of meters with an option of including or not including such equipment in the synchronization device. It provides global scheduling of the real-time computer platform in the form of minor and major cycles in order to reduce latency during sensor acquisition, the associated calculation and preparation of output to the actuator in an integrated modular avionic (IMA) architecture. In order to do this, it uses a synchronization bus separate from the data transfer network and circuits interfacing with this specific bus for processing the local real-time clocks in each piece of equipment in a fault-tolerant, decentralized manner.

[0001] The present invention belongs to the field of hardware and software for fault-tolerant real-time computer networks. More specifically, it relates to the synchronization of equipment connected to said network.

[0002] The problem to be solved is the failure-free phasing of the real-time clocks of processing equipment connected by one or more data transfer networks. A reliable solution to this problem is particularly important for the latency of data in equipment on board aircraft, especially equipment that fulfills the functions of alarm, autopilot, flight plan, maintenance or service management.

[0003] The relevant state of the art is represented by U.S. Pat. Nos. 5,307,409, 5,343,414, 5,386,424 and 5,557,623. These systems further form the subject of an ARINC 659 standard (Dec. 27, 1993) corresponding to a data transfer system via backplane bus.

[0004] The drawbacks of this state of the art are basically the short distance over which reliable synchronization is possible (approximately a meter owing to the need for a ground reference common to all the subscribers) and the lack of versatility of the system, all the equipment having to be synchronized, the backplane bus ensuring both data transfer and synchronization signals.

[0005] The device according to the invention can be used for reliable synchronization over several tens of meters and allows the choice of including or not including in the synchronization any equipment connected to the network by separating the data transfer and the synchronization bus of the equipment. This synchronization is less accurate than that of the ARINC 659 standard, but it enables using high-speed data transfers over much greater distances.

[0006] For these purposes, the invention provides a device for synchronizing the local real-time clocks of computer equipment connected to a data transfer bus including electronic circuits for generating synchronization pulses, counting circuits for generating the local real-time clock and exchanging pulses with the other synchronization entities, time voting circuits for resynchronizing the counting circuits, characterized in that the pulses are conveyed via a specific synchronization bus.

[0007] The invention will be better understood, and its various characteristics and advantages will emerge from the description that follows of an example of embodiment, and of its attached figures, in which:

[0008] FIG. 1 shows the architecture of the synchronization platform according to the invention;

[0009] FIG. 2 shows the principle on which synchronization by the invention is based;

[0010] FIG. 3 shows an embodiment of the device according to the invention;

[0011] FIG. 4 sets out the voting scheme used to provide a synchronized, reliable real-time clock according to the invention;

[0012] FIG. 5 sets out the coding scheme used for interlacing different modes of synchronization;

[0013] FIG. 6 depicts some states of the device according to the invention in operation.

[0014] The computer platform in FIG. 1 includes at least one central processing unit or CPU (11), several input/output or I/O units (21, 22), cabinet switches (31, 32). This equipment is interconnected via a duplex data network (41) for example of the Full Duplex 100 MHz Ethernet type. The platform shown is connected to other different platforms via the switches (31, 32) and the bus (51).

[0015] The central processing units (11, 21, 22) each include an actual processing system (110) where the specific processing of the unit and the control of the data network are carried out via the End System or ES (111), a real-time clock or RTC (112) and the synchronization entity or Sync (113, 213, 223) according to the invention.

[0016] The synchronization entities (113, 213, 223) are interconnected via a specific synchronization bus (61) separate from the data link (41), details of whose specific embodiments are provided farther on in the description.

[0017] The synchronization entities (113, 213) are each composed of two restoring units SU_(x) and SU_(y) (FIG. 2). Each unit SU_(x), SU_(y) comprises a local oscillator H_(x), H_(y) (FIG. 3), a configuration table CONF TABLE with an initialization wait time value “init wait time”, at least a first synchronization period value “miF value (s)” and a second synchronization period value “MAF value” for describing the cyclic sequencing of the platform in the form “Minor frame/Major Frame” so as to phase the different processing cycles of the CPU (11) and I/O (21, 22) equipment for reducing the latency of transfers of data exchanged according to the cycle number. The redundant SU_(x), SU_(y) units are directly interconnected so as to exchange local real-time clock control signals “RTC ctrl” and state control signals “state ctrl”.

[0018] Each synchronization unit SU_(x), SU_(y) receives a synchronization configuration signal CONFIG_SYNC from its local processor (110, 210, 220) and sends back a real-time clock signal RTC.

[0019] Each synchronization unit SU_(x) (respectively SU_(y)) sends two signals A_(x), B_(x) (respectively A_(y), B_(y)) over the specific synchronization bus (61) and receives four signals A_(x), B_(x), A_(y), B_(y).

[0020] Each synchronization unit SU_(x), SU_(y) advantageously includes specific circuits (711, 712) for connecting to the specific synchronization bus (61).

[0021] Preferably, these specific circuits (711, 712, 721, 722) will be bidirectional differential drivers of the CAN (controller area network) bus conforming to the specifications of ISO standard 11 898 (ISO reference number 11 898 : 1993 (E)), a document to be referred to if necessary in order to understand the operation of the CAN. These circuits are chiefly used in automotive vehicle high-speed data exchange local area networks. An example of this type of circuit is the PCA 82 C 250 driver of the Philips Semiconductors Company (reference: Data Sheet of Oct. 21, 1997).

[0022] These circuits are particularly advantageous by reason of the properties of the “recessive” and “dominant” states on the differential link, which are used by the invention to perform a wired OR between several emitters without a common ground reference over several tens of meters (this property is used in the CAN standard for performing bus arbitration between the different terminals). Each pair of circuits (71, 72) may therefore be connected separately to a specific power supply (95, 96) of the equipment and electrically isolated from the other equipment of the platform.

[0023] In FIG. 4, the synchronization sequence of the “_clk” type channels A_(x), B_(x), A_(y), B_(y) uses the local oscillator H_(x), H_(y) of each synchronization unit SU_(x), SU_(y). The sequence includes a calibrated synchronization pulse “Sync pulse (calibrated)” for rephasing the local real-time clock RTC and a synchronization type pulse “Sync type (duration)” for indicating the type of platform cycle (minor-frame/major frame) (FIG. 5).

[0024] Each synchronization pulse comprises a recessive part and a dominant part. From the recessive state, the “_clk” type signal is placed in the dominant state for a few local oscillator periods, then it is placed in the recessive state. The duration of this dominant state depends on the type of pulse.

[0025] The local oscillator H_(x) (respectively H_(y)) has a period of approximately 5 μs. The calibrated pulse is generated by the unit SU_(x) (respectively SU_(y)) on its own signals A_(x), B_(x) (respectively A_(y), B_(y)). Each unit re-reads the four channels A_(x), B_(x), A_(y), B_(y). Based on the current state of the signals read on these four channels, it performs a vote during an “expected window” lasting several periods of the local oscillator. It detects the coherent switching of the signals on the channels A_(x), B_(x), A_(y), B_(y), called “Edge detection”. “Edge synchronization” phasing of the local real-time clock RTC takes place at least three and at most four oscillator periods after edge detection.

[0026] FIG. 4 explains how the calibrated synchronization pulses generated on the four channels A_(x), B_(x), A_(y), B_(y) of the specific bus (61) are combined to generate an “RTC vote” which takes into account both the time shifts of the local oscillators H_(x), H_(y) and the faults of each synchronization unit SU_(x), SU_(y).

[0027] The voting result on the four channels is given by the following logic expression:

[0028] RTC vote=(A_(x) or A_(y)) and (B_(x) or A_(y)) and (A_(x) or B_(y)) and (B_(x) or B_(y)).

[0029] This voting is generally called majority voting. It is differentiated from quadruplex voting by the elimination of the terms (A_(x) or B_(x)) and (A_(y) or B_(y)) originating from a single unit SU_(x) or SU_(y), which propagate a fault in the event of failure of such a single unit. The decision table is therefore as follows:

Ax  Ay  Bx  By  RTC Vote
1   1   1   1   1
1   1   1   0   1
1   1   0   1   1
1   1   0   0   0
1   0   1   1   1
1   0   1   0   1
1   0   0   1   0
1   0   0   0   0
0   0   1   1   0
0   0   1   0   0
0   0   0   1   0
0   0   0   0   0
0   1   1   1   1
0   1   1   0   0
0   1   0   1   1
0   1   0   0   0
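The following C program is an added example, not part of the patent text: it evaluates the RTC vote expression of [0028] over all sixteen channel states and compares it with a six-term vote that keeps the same-unit terms. The function names and the reading of "quadruplex voting" as the six-term product are assumptions of the example.

```c
#include <stdio.h>

/* RTC vote of [0028]. Every OR term pairs one channel of SUx with one
   channel of SUy; the expression reduces to (Ax & Bx) | (Ay & By). */
int rtc_vote(int ax, int ay, int bx, int by) {
    return (ax | ay) & (bx | ay) & (ax | by) & (bx | by);
}

/* Assumed reading of the "quadruplex" vote in [0029]: the same product
   with the same-unit terms (Ax or Bx) and (Ay or By) kept. */
int six_term_vote(int ax, int ay, int bx, int by) {
    return rtc_vote(ax, ay, bx, by) & (ax | bx) & (ay | by);
}

typedef int (*vote_fn)(int, int, int, int);

/* Truth table packed as a bitmask, bit index = Ax<<3 | Ay<<2 | Bx<<1 | By. */
unsigned vote_table(vote_fn vote) {
    unsigned mask = 0;
    for (unsigned i = 0; i < 16; i++)
        if (vote((i >> 3) & 1, (i >> 2) & 1, (i >> 1) & 1, i & 1))
            mask |= 1u << i;
    return mask;
}

/* SUx failed silent: Ax and Bx both read 0. Count the SUy patterns
   (Ay, By), out of four, for which a vote is still produced. */
int votes_with_sux_silent(vote_fn vote) {
    int n = 0;
    for (int ay = 0; ay <= 1; ay++)
        for (int by = 0; by <= 1; by++)
            n += vote(0, ay, 0, by);
    return n;
}

int main(void) {
    printf("Ax Ay Bx By | RTC vote | six-term\n");
    for (int i = 15; i >= 0; i--) {
        int ax = (i >> 3) & 1, ay = (i >> 2) & 1, bx = (i >> 1) & 1, by = i & 1;
        printf(" %d  %d  %d  %d |    %d     |    %d\n", ax, ay, bx, by,
               rtc_vote(ax, ay, bx, by), six_term_vote(ax, ay, bx, by));
    }
    printf("votes with SUx silent: RTC vote %d, six-term %d\n",
           votes_with_sux_silent(rtc_vote), votes_with_sux_silent(six_term_vote));
    return 0;
}
```

With SUx silent, the [0028] vote still follows SUy when both of its channels agree, while the six-term vote is held at 0 by the term (Ax or Bx). The same table shows that a unit driving both of its own channels to 1 produces a vote by itself (row 1 0 1 0).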

[0030] The accuracy of the internal local oscillator H_(x) (respectively H_(y)) of the synchronization unit SU_(x) (respectively SU_(y)) will be chosen equal to or better than 100 ppm so that for a synchronization period miF of 50 ms for example, the tolerance on the drift of the local real-time clock RTC will be less than one period of the local oscillator, i.e. 5 μs.

[0031] FIG. 5 explains the way in which the type of synchronization is coded. The “Sync type (duration)” pulse follows the calibrated synchronization pulse. The code corresponds to three different values of the pulse times (for example 2, 3 and 4 local oscillator periods). The three values represent the following instructions:

Init_Sync: Initiate a synchronization sequence
Start_miF: Start a miF type sequence
Start_MAF: Start a MAF type sequence

[0032] A miF (minor frame) sequence corresponds to an elementary period of the local real-time clock RTC (112), that is, a few tens of milliseconds. A MAF (major frame) sequence corresponds to a succession of different miFs until the resumption of the initial miF. The period of the MAF can be several orders of magnitude greater than miF, e.g. 100 times, that is, a few seconds. These values depend on the types of equipment that we wish to synchronize, the optimum MAF value having to be adjusted to a value determined from the lowest common multiple of the miFs.

[0033] Example: 100 cycles of 10 ms miF form a MAF cycle of 1 s.

[0034] Voting is also performed on the synchronization type.

[0035] The encoding, decoding, voting on the code and controlling the state of the synchronization unit are performed by a programmable logic circuit (91, 92).

[0036] FIG. 6 shows the main state transition diagrams.

[0037] FIG. 6.0 shows a general view of the transitions between the states: “Sync disable”, “Wait”, “In sync” and “Out of sync”.

[0038] The transitions from/to the “Sync disable” state are triggered by commands from the local processor (Host command: CONFIG_SYNC=ON/OFF).

[0039] After a CONFIG_SYNC=ON command, the synchronization unit SU_(x), SU_(y) changes to the “Wait” state. The processing unit enters the operational phase (“LRM entering OPS mode”), places itself in the “Out of sync” state waiting for an “Init_sync” or “Start_MAF” sequence. An “Init_sync” sequence is sent by the synchronization unit if no activity is detected before the end of the waiting period.

[0040] A “Start_MAF” sequence is sent after the “Init_Sync” sequence. One of these two sequences triggers the transition from the “Out of sync” state to the “In sync” state.

[0041] FIG. 6.1 shows more precisely how the time dimension fits into this state transition, together with the miF sequence.

[0042] The transition from the “In sync” state to the “Out of sync” state is triggered by the Sync_lost sequence generated if SU_(x), SU_(y) receives a synchronization pulse outside the “expected window” (RTC vote=Ø) or if there is disagreement over the type of synchronization (Sync Type vote=Ø).

[0043] FIG. 6.2 details these transitions of state taking into account the two votes, the two synchronization frames (miF and MAF) and the iterations (i=i+1: “next time window”). The voting on the synchronization types can be advantageously of the preceding majority type among the four channels.
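The state transitions of [0037] to [0043], together with the type coding of [0031], can be modeled as follows; this is an added example, not part of the patent text. It assumes that durations 2, 3 and 4 map to Init_Sync, Start_miF and Start_MAF in that order, that CONFIG_SYNC=OFF is accepted from any state, that the RTC vote result is passed in as a flag, and that leaving “Out of sync” also requires a positive RTC vote; all identifiers are hypothetical.

```c
#include <stdio.h>

typedef enum { SYNC_DISABLE, WAIT, OUT_OF_SYNC, IN_SYNC } sync_state;
typedef enum { T_NONE, INIT_SYNC, START_MIF, START_MAF } sync_type;
typedef enum { CONFIG_ON, CONFIG_OFF, ENTER_OPS, SEQUENCE } sync_event;

/* Assumption: the example durations 2, 3, 4 of [0031] map to the three
   instructions in the order the page lists them. */
sync_type decode_type(int periods) {
    return periods == 2 ? INIT_SYNC : periods == 3 ? START_MIF
         : periods == 4 ? START_MAF : T_NONE;
}

/* Cross-unit vote of [0028] applied once per code. Two codes winning at
   once (SUx and SUy each self-consistent but in disagreement) is treated
   as an empty vote. */
sync_type vote_type(sync_type ax, sync_type ay, sync_type bx, sync_type by) {
    sync_type winner = T_NONE;
    for (int t = INIT_SYNC; t <= START_MAF; t++) {
        int Ax = ((int)ax == t), Ay = ((int)ay == t), Bx = ((int)bx == t), By = ((int)by == t);
        if ((Ax | Ay) & (Bx | Ay) & (Ax | By) & (Bx | By)) {
            if (winner != T_NONE) return T_NONE;
            winner = (sync_type)t;
        }
    }
    return winner;
}

/* One transition of FIG. 6.0; rtc_vote and type are read only for SEQUENCE. */
sync_state step(sync_state s, sync_event ev, int rtc_vote, sync_type type) {
    if (ev == CONFIG_OFF) return SYNC_DISABLE;
    switch (s) {
    case SYNC_DISABLE: return ev == CONFIG_ON ? WAIT : s;
    case WAIT:         return ev == ENTER_OPS ? OUT_OF_SYNC : s;
    case OUT_OF_SYNC:
        if (ev == SEQUENCE && rtc_vote && (type == INIT_SYNC || type == START_MAF))
            return IN_SYNC;
        return s;
    case IN_SYNC: /* Sync_lost: empty RTC vote or empty Sync Type vote */
        if (ev == SEQUENCE && (!rtc_vote || type == T_NONE)) return OUT_OF_SYNC;
        return s;
    }
    return s;
}

int main(void) {
    sync_state s = step(SYNC_DISABLE, CONFIG_ON, 0, T_NONE);
    s = step(s, ENTER_OPS, 0, T_NONE);
    /* Constructed sample: By reads a 5-period pulse, the other channels 4. */
    sync_type t = vote_type(decode_type(4), decode_type(4), decode_type(4), decode_type(5));
    s = step(s, SEQUENCE, 1, t);
    printf("voted type %d, state %d\n", (int)t, (int)s);
    return 0;
}
```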

[0044] In one embodiment, the ratio of the major cycle period to that of the minor cycle is between 2 and 10000.

[0045] The invention is not limited to networks for equipment on board aircraft. It can also be applied to local area networks (LANs) and to networks for equipment on board ships. 

1. A device for synchronizing local real-time clocks (112, 212, 222) of computer equipment connected to a data transfer bus (41) comprising electronic circuits (711, 712, 721, 722) for generating synchronization pulses (A_(x), B_(x), A_(y), B_(y)), counting circuits (91, 92) for generating the local real-time clock (112, 212, 222) and exchanging the pulses (A_(x), B_(x), A_(y), B_(y)) with the other synchronization entities (113, 213, 223), time voting circuits (81, 82) for resynchronizing the counting circuits (91, 92), characterized in that the pulses (A_(x), B_(x), A_(y), B_(y)) are conveyed by a specific synchronization bus (61).
 2. The device as claimed in claim 1, characterized in that it further includes power supplies (95, 96) separate from the other synchronization entities.
 3. The synchronization device as claimed in one of the preceding claims, characterized in that the exchanges on the channels A_(x), B_(x), A_(y), B_(y) are formed in synchronization pulse (Sync pulse) and in synchronization type coding (Sync type).
 4. The synchronization device as claimed in one of the preceding claims, characterized in that the electronic circuits (711, 712, 721, 722) generate pulses (A_(x), B_(x), A_(y), B_(y)) on differential lines with dominant and recessive states.
 5. The synchronization device as claimed in claim 4, characterized in that the electronic circuits (711, 712, 721, 722) are of the CAN network bidirectional driver type.
 6. The synchronization device as claimed in one of the preceding claims, characterized in that the time voting of the pulses (A_(x), B_(x), A_(y), B_(y)) in the logic circuits (81, 82) is quadruplex majority voting by eliminating the pairs (A_(x) or B_(x)) and (A_(y) or B_(y)) originating from the same synchronization unit SU_(x), SU_(y).
 7. The synchronization device as claimed in one of the preceding claims, characterized in that the synchronization of the equipment of the computer platform is achieved in the form of minor and major cycles of multiple periods.
 8. The synchronization device as claimed in one of the preceding claims, characterized in that the ratio of the major cycle period to that of the minor cycle is between 2 and 10000.
 9. The synchronization device as claimed in one of the preceding claims, characterized in that a piece of equipment (11, 21, 22) may or may not be placed in synchronization without disrupting the other pieces of equipment of the platform that have already been synchronized with each other.
 10. Computer equipment including a synchronization device as claimed in one of the preceding claims.
 11. A synchronization method for computer equipment comprising four operating states (Sync disable, Wait, Out of sync, In sync), by exchange of synchronization pulses, characterized in that the pulses (A_(x), B_(x), A_(y), B_(y)) are conveyed by a specific synchronization bus (61).
 12. The synchronization method as claimed in claim 11, characterized in that a transition from the (Out of sync) state to an (In sync) state is triggered by the expiration of a waiting time or the sending of a synchronization initialization sequence (Init sync) or of a synchronization sequence of a first type (Start_miF) or of a second type (Start_MAF).
 13. The synchronization method as claimed in claim 11, characterized in that a transition from the (In sync) state to an (Out of sync) state is triggered by the arrival of unexpected synchronization sequences or by a first negative vote on four signals (A_(x), B_(x), A_(y), B_(y)) or a second negative vote on three codes (Init_sync, Start_miF, Start_MAF).
 14. The synchronization method as claimed in claim 13, characterized in that the first and second votes are of the same type.
 15. The synchronization method as claimed in claim 12 or claim 13, characterized in that the synchronization sequences have a minor cycle and a major cycle of multiple periods.
 16. The synchronization method as claimed in claim 15, characterized in that the ratio of the major cycle period to that of the minor cycle is between 2 and 10000.